Abstract—Difference constraints have been used for termination
analysis in the literature, where they denote relational inequalities
of the form $x' \le y + c$, and describe that the value of $x$ in the
current state is at most the value of $y$ in the previous state
plus some constant $c \in \mathbb{Z}$. In this paper, we argue that the
complexity of imperative programs typically arises from counter 
increments and resets, which can be modeled naturally by 
difference constraints. We present the first practical algorithm for 
the analysis of difference constraint programs and describe how 
C programs can be abstracted to difference constraint programs. 
Our approach contributes to the field of automated complexity 
and (resource) bound analysis by enabling automated amortized 
complexity analysis for a new class of programs and providing 
a conceptually simple program model that relates invariant- and 
bound analysis. We demonstrate the effectiveness of our approach 
through a thorough experimental comparison on real world C 
code: our tool Loopus computes the complexity for considerably 
more functions in less time than related tools from the literature. 


I. Introduction 

Automated program analysis for inferring program complexity 
and (resource) bounds is a very active area of research. 
Amongst others, approaches have been developed for analyzing
functional programs QH, C# 113], C ISj, ||20|, ifT^ .
Java in and Integer Transition Systems 14], Q, IfTOll . 
Difference constraints (DCs) have been introduced by Ben-Amram
for termination analysis in 0, where they denote
relational inequalities of the form $x' \le y + c$, and describe
that the value of $x$ in the current state is at most the value
of $y$ in the previous state plus some constant $c \in \mathbb{Z}$. We call
a program whose transitions are given by a set of difference 
constraints a difference constraint program (DCP). 

In this paper, we advocate the use of DCs for program 
complexity and (resource) bounds analysis. Our key insight 
is that DCs provide a natural abstraction of the standard 
manipulations of counters in imperative programs: counter 
increments/decrements $x := x + c$ resp. resets $x := y$, can be
modeled by the DCs $x' \le x + c$ resp. $x' \le y$ (see Section IV
on program abstraction). In contrast, previous approaches to 
bound analysis can model either only resets llT3l . l5l . Il20l . 141 . 
Q, m or increments M- For this reason, we are able to 
design a more powerful analysis: In Section II-A we discuss
that our approach achieves amortized analysis for a new class
of programs. In Section II-B we describe how our approach
performs invariant analysis by means of bound analysis. 

In this paper, we establish the practical usefulness of DCs
for bound (and complexity) analysis of imperative programs: 
1) We propose the first algorithm for bound analysis of 
DCPs. Our algorithm is based on the dichotomy between 
increments and resets. 2) We develop appropriate techniques 
for abstracting C programs to DCPs: we describe how to 
extract norms (integer-valued expressions on the program 
state) from C programs and how to use them as variables in 
DCPs. We are not aware of any previous implementation of 
DCPs for termination or bound analysis. 3) We demonstrate 
the effectiveness of our approach through a thorough experimental
evaluation. We present the first comparison of bound
analysis tools on source code from real software projects (see
Section V). Our implementation performs significantly better
in time and success rate. 

II. Motivation and Related Work 
A. Amortized Complexity Analysis 

Example 1 stated in Figure 1 is representative for a class of
loops that we found in parsing and string matching routines 
during our experiments. In these loops the inner loop iterates 
over disjoint partitions of an array or string, where the partition 
sizes are determined by the program logic of the outer loop. 
For an illustration of this iteration scheme, we refer the reader 
to Example 3 stated in Appendix A which contains a snippet
of the source code after which we have modeled Example 1. 
Example 1 has the linear complexity 2n, because the inner 
loop as well as the outer loop can be iterated at most n 
times (as argued in the next paragraph). However, previous 
approaches to bound analysis m, ia, i 2 Q], na, a, q, 
ca are only able to deduce that the inner loop can be 
iterated at most a quadratic number of times (with loop bound
$n^2$) by the following reasoning: (1) the outer loop can be
iterated at most $n$ times, (2) the inner loop can be iterated at
most $n$ times within one iteration of the outer loop (because
the inner loop has a local loop bound $p$ and $p \le n$ is an
invariant), (3) the loop bound $n^2$ is obtained from (1) and (2)
by multiplication. We note that inferring the linear complexity 
2n for Example 1, even though the inner loop can already be 
iterated n times within one iteration of the outer loop, is an 
instance of amortized complexity analysis M- 
In the following, we give an overview how our approach infers 
the linear complexity for Example 1: 

1. Program Abstraction. We abstract the program to a DCP
over $\mathbb{Z}$ as shown in Figure 1. We discuss our algorithm for
abstracting imperative programs to DCPs based on symbolic
execution in Section IV.

Example 1:

    void foo(uint n) {
        int x = n;
        int r = 0;
    l1: while (x > 0) {
            x = x - 1;
            r = r + 1;
    l2:     if (*) {
                int p = r;
    l3:         while (p > 0)
                    p--;
                r = 0;
            }
    l4: } }

Complexity: $TB(\tau_3) + TB(\tau_5) = n + n = 2n$

[Diagram: abstracted DCP of Example 1]

Example 2:

    foo(uint n, uint m1, uint m2) {
        int y = n;
        int x;
    l1: if (*)
            x = m1;
        else
            x = m2;
    l2: while (y > 0) {
            y--;
            x = x + 2; }
        int z = x;
    l3: while (z > 0)
            z--; }

Complexity: $TB(\tau_1) + TB(\tau_3) = \max(m_1, m_2) + 3n$

[Diagram: abstracted DCP of Example 2]

Fig. 1. Running Examples, * denotes non-determinism (arising from conditions not modeled in the analysis)

2. Finding Local Bounds. We identify $p$ as a variable that
limits the number of executions of transition $\tau_3$: We have the
guard $p > 0$ on $\tau_3$ and $p$ decreases on each execution of $\tau_3$.
We call $p$ a local bound for $\tau_3$. Accordingly we identify $x$ as
a local bound for transitions $\tau_1, \tau_{2a}, \tau_{2b}, \tau_4, \tau_5$.

3. Bound Analysis. Our algorithm (stated in Section III)
computes transition bounds, i.e., (symbolic) upper bounds on
the number of times program transitions can be executed, and
variable bounds, i.e., (symbolic) upper bounds on variable values.
For both types of bounds, the main idea of our algorithm
is to reason how much and how often the value of the local
bound resp. the variable value may increase during program
run. Our algorithm is based on a mutual recursion between
variable bound analysis (“how much”, function $VB(v)$) and
transition bound analysis (“how often”, function $TB(\tau)$).

Next, we give an intuition how our algorithm computes
transition bounds: Our algorithm computes $TB(\tau) = n$ for
$\tau \in \{\tau_1, \tau_{2a}, \tau_{2b}, \tau_4, \tau_5\}$ because the local bound $x$ is initially
set to $n$ and never increased or reset. Our algorithm computes
$TB(\tau_3)$ ($\tau_3$ corresponds to the loop at $l_3$) as follows: $\tau_3$ has
local bound $p$; $p$ is reset to $r$ on $\tau_{2a}$; our algorithm detects that
before each execution of $\tau_{2a}$, $r$ is reset to 0 on either $\tau_0$ or $\tau_4$,
which we call the context under which $\tau_{2a}$ is executed; our
algorithm establishes that between being reset and flowing into
$p$ the value of $r$ can be incremented up to $TB(\tau_1)$ times by 1;
our algorithm obtains $TB(\tau_1) = n$ by a recursive call; finally,
our algorithm calculates $TB(\tau_3) = 0 + TB(\tau_1) \times 1 = n$. We
give an example for the mutual recursion between $TB$ and
$VB$ in Section II-B.

We contrast our approach for computing the loop bound of
$l_3$ of Example 1 with classical invariant analysis: Assume
'c' counting the number of inner loop iterations (i.e., $c$
is initialized to 0 and incremented in the inner loop). For
inferring $c \le n$ through invariant analysis the invariant
$c + x + r \le n$ is needed for the outer loop, and the invariant
$c + x + p \le n$ for the inner loop. Both relate 3 variables and
cannot be expressed as (parametrized) octagons (e.g., mi). 
Further, the expressions $c + x + r$ and $c + x + p$ do not
appear in the program, which is challenging for template based 
approaches to invariant analysis. 


B. Invariants and Bound Analysis 

We explain on Example 2 in Figure 1 how our approach
performs invariant analysis by means of bound analysis. We
first motivate the importance of invariant analysis for bound
analysis. It is easy to infer $x$ as a bound for the possible
number of iterations of the loop at $l_3$. However, in order to
obtain a bound in the function parameters the difficulty lies
in finding an invariant $x \le \mathit{expr}(n, m_1, m_2)$. Here, the most
precise invariant $x \le \max(m_1, m_2) + 2n$ cannot be computed
by standard abstract domains such as octagon or polyhedra:
these domains are convex and cannot express non-convex
relations such as maximum. The most precise approximation of
$x$ in the polyhedra domain is $x \le m_1 + m_2 + 2n$. Unfortunately,
it is well-known that the polyhedra abstract domain does not 
scale to larger programs and needs to rely on heuristics for 
termination. Next, we explain how our approach computes 
invariants using bound analysis and discuss how our reasoning 
is substantially different from invariant analysis by abstract 
interpretation. 

Our algorithm computes a transition bound for the loop at
$l_3$ by $TB(\tau_3) = TB(\tau_2) \times VB(x) = 1 \times VB(x) = VB(x)
= TB(\tau_1) \times 2 + \max(m_1, m_2) = (n \times TB(\tau_0)) \times 2 + \max(m_1, m_2)
= (n \times 1) \times 2 + \max(m_1, m_2) = 2n + \max(m_1, m_2)$.
We point out the mutual recursion between
$TB$ and $VB$: $TB(\tau_3)$ has called $VB(x)$, which in turn
called $TB(\tau_1)$. We highlight that the variable bound $VB(x)$
(corresponding to the invariant $x \le \max(m_1, m_2) + 2n$) has
been established during the computation of $TB(\tau_3)$.

Standard abstract domains such as octagon or polyhedra
propagate information forward until a fixed point is reached,
greedily computing all possible invariants expressible in the
abstract domain at every location of the program. In contrast,
$VB(x)$ infers the invariant $x \le \max(m_1, m_2) + 2n$ by
modular reasoning: local information about the program (i.e., 
increments/resets of variables, local bounds of transitions) is 
combined to a global program property. Moreover, our variable 
and transition bound analysis is demand-driven: our algorithm 
performs only those recursive calls that are indeed needed 
to derive the desired bound. We believe that our analysis 
complements existing techniques for invariant analysis and 
will find applications outside of bound analysis.

C. Related Work 

In a it is shown that termination of DCPs is undecidable 
in general but decidable for the natural syntactic subclass of 
deterministic DCPs (see Definition 3), which is the class of
DCPs we use in this paper. It is an open question for future 
work whether there is a complete algorithm for bound analysis 
of deterministic DCPs. 

In Qa a bound analysis based on constraints of the form 
$x' \le x + c$ is proposed, where $c$ is either an integer or a
symbolic constant. The resulting abstract program model is 
strictly less powerful than DCPs. In [20] a bound analysis
based on so-called size-change constraints $x' \lhd y$ is proposed,
where $\lhd \in \{<, \le\}$. Size-change constraints form a strict syntactic
subclass of DCs. However, termination is decidable even
for non-deterministic size-change programs and a complete
algorithm for deciding the complexity of size-change programs
has been developed [9]. Because the constraints in [20], ifTbl
are less expressive than DCs, the resulting bound analyses 
cannot infer the linear complexity of Example 1 and need to 
rely on external techniques for invariant analysis. 

In Section V we compare our implementation against the
most recent approaches to automated complexity analysis ifTOll . 
fTl . fTb). IfTOll extends the COSTA approach by control flow 
refinement for cost equations and a better support for multidimensional
ranking functions. The COSTA project (e.g. HI)
computes resource bounds by inferring an upper bound on 
the solutions of certain recurrence equations (so-called cost 
equations) relying on external techniques for invariant analysis 
(which are not explicitly discussed). The bound analysis in I?) 
uses approaches for computing polynomial ranking functions 
from the literature to derive bounds for SCCs in isolation 
and then expresses these bounds in terms of the function 
parameters using invariant analysis (see next paragraph). 

The powerful idea of expressing locally computed loop bounds 
in terms of the function parameters by alternating between 
loop bound analysis and variable upper bound analysis has 
been explored in ||71, ifTbl (as discussed in the extended version
ini) and m. We highlight some important differences
to these earlier works. 0 computes upper bound invariants 
only for the absolute values of variables; this does, for 
example, not allow to distinguish between variable increments 
and decrements during the analysis. ini and lEl do not give 
a general algorithm but deal with specific cases. 
ifTOl discusses automatic parallelization of loop iterations; the 
approach builds on summarizing inner loops by multiplying 
the increment of a variable on a single iteration of a loop 
with the loop bound. The loop bounds in lfT9l are restricted 
to simple syntactic patterns. 

The recent paper discusses an interesting alternative for 
amortized complexity analysis of imperative programs: A 
system of linear inequalities is derived using Hoare-style 
proof-rules. Solutions to the system represent valid linear 
resource bounds. Interestingly, jS] is able to compute the linear 
bound for $l_3$ of Example 1 but fails to deduce the bound for
the original source code (provided in Appendix A). Moreover,
i) is restricted to linear bounds, while our approach derives
polynomial bounds (e.g., Example B in Figure 2) which
may also involve the maximum operator. An experimental 
comparison was not possible as i) was developed in parallel. 

III. Program Model and Algorithm 

In this section we present our algorithm for computing worst- 
case upper bounds on the number of executions of a given 
transition (transition bound) and on the value of a given 
variable (variable bound). We base our algorithm on the 
abstract program model of DCPs stated in Definition 3. In
Section III-B we generalize DCPs and our algorithm to the
non-well-founded domain $\mathbb{Z}$.

Definition 1 (Variables, Symbolic Constants, Atoms). By $\mathcal{V}$
we denote a finite set of variables. By $\mathcal{C}$ we denote a finite set
of symbolic constants. $\mathcal{A} = \mathcal{V} \cup \mathcal{C} \cup \mathbb{N}$ is the set of atoms.

Definition 2 (Difference Constraints). A difference constraint
over $\mathcal{A}$ is an inequality of form $x' \le y + c$ with $x \in \mathcal{V}$, $y \in \mathcal{A}$
and $c \in \mathbb{Z}$. We denote by $DC(\mathcal{A})$ the set of all difference
constraints over $\mathcal{A}$.

Definition 3 (Difference Constraint Program). A difference
constraint program (DCP) over $\mathcal{A}$ is a directed labeled graph
$\Delta\mathcal{P} = (L, T, l_b, l_e)$, where $L$ is a finite set of locations, $l_b \in L$
is the entry location, $l_e \in L$ is the exit location and
$T \subseteq L \times 2^{DC(\mathcal{A})} \times L$ is a finite set of transitions. We write
$l_1 \xrightarrow{u} l_2$ to denote a transition $(l_1, u, l_2) \in T$ labeled by a set of
difference constraints $u \in 2^{DC(\mathcal{A})}$. Given a transition
$\tau = l_1 \xrightarrow{u} l_2 \in T$ of $\Delta\mathcal{P}$ we call $l_1$ the source location of $\tau$
and $l_2$ the target location of $\tau$. A path of $\Delta\mathcal{P}$ is a sequence
$l_0 \xrightarrow{u_0} l_1 \xrightarrow{u_1} \cdots$ with $l_i \xrightarrow{u_i} l_{i+1} \in T$ for all $i$.
The set of valuations of $\mathcal{A}$ is the set $Val_{\mathcal{A}} = \mathcal{A} \to \mathbb{N}$ of
mappings from $\mathcal{A}$ to the natural numbers with $\sigma(a) = a$ if $a \in \mathbb{N}$.
A run of $\Delta\mathcal{P}$ is a sequence
$(l_b, \sigma_0) \xrightarrow{u_0} (l_1, \sigma_1) \xrightarrow{u_1} \cdots$ such that
$l_b \xrightarrow{u_0} l_1 \xrightarrow{u_1} \cdots$ is a path of $\Delta\mathcal{P}$ and for all $i$
it holds that (1) $\sigma_i \in Val_{\mathcal{A}}$, (2) $\sigma_{i+1}(x) \le \sigma_i(y) + c$ for all
$x' \le y + c \in u_i$, (3) $\sigma_i(s) = \sigma_0(s)$ for all $s \in \mathcal{C}$.
Given $v \in \mathcal{V}$ and $l \in L$ we say that $v$ is defined at $l$ and write
$v \in \mathcal{D}(l)$ if $l \ne l_b$ and for all incoming transitions
$l_1 \xrightarrow{u} l \in T$ of $l$ it holds that there are $a \in \mathcal{A}$ and
$c \in \mathbb{Z}$ s.t. $v' \le a + c \in u$.

$\Delta\mathcal{P}$ is deterministic (fan-in-free in the terminology of 1^), if
for every transition $l_1 \xrightarrow{u} l_2 \in T$ and every $v \in \mathcal{V}$ there is at
most one $a \in \mathcal{A}$ and $c \in \mathbb{Z}$ s.t. $v' \le a + c \in u$.

Our approach assumes the given DCP to be deterministic.
We further assume that DCPs are well-defined: Let $v \in \mathcal{V}$
and $l \in L$, if $v$ is live at $l$ then $v \in \mathcal{D}(l)$. Our abstraction
algorithm from Section IV generates only deterministic and
well-defined DCPs.

In Definitions 4 to 11 we assume a DCP $\Delta\mathcal{P}(L, T, l_b, l_e)$ over
$\mathcal{A}$ to be given.

Definition 4 (Transition Bound). Let $\tau \in T$, $\tau$ is bounded
iff $\tau$ appears a finite number of times on any run of $\Delta\mathcal{P}$. An
expression expr over $\mathcal{C} \cup \mathbb{Z}$ is a transition bound for $\tau$ iff $\tau$ is
bounded and for any finite run
$\rho = (l_b, \sigma_0) \xrightarrow{u_0} (l_1, \sigma_1) \xrightarrow{u_1} (l_2, \sigma_2) \xrightarrow{u_2} \cdots (l_e, \sigma_n)$
of $\Delta\mathcal{P}$ it holds that $\tau$ appears not
more than $\sigma_0(\mathit{expr})$ often on $\rho$. We say that a transition bound
expr of $\tau$ is precise iff there is a run $\rho$ of $\Delta\mathcal{P}$ s.t. $\tau$ appears
$\sigma_0(\mathit{expr})$ times on $\rho$.

[Diagrams: DCPs of Examples (A), (B), (C)]

(A) Complexity: $TB(\tau_1) + TB(\tau_2) = 2n$
    $\zeta$: $\{\tau_0 \mapsto 1, \tau_1 \mapsto i, \tau_2 \mapsto j\}$
    $TB(\tau_1) = n$, $TB(\tau_2) = n$

(B) Complexity: $TB(\tau_1) + TB(\tau_2) + TB(\tau_3) = 2n + n^2$
    $\zeta$: $\{\tau_0 \mapsto 1, \tau_1 \mapsto i, \tau_2 \mapsto l, \tau_3 \mapsto j\}$
    $TB(\tau_1) = n$, $TB(\tau_2) = n$, $TB(\tau_3) = n^2$

(C) Complexity: $TB(\tau_2) + TB(\tau_3) = 2n$
    $\zeta$: $\{\tau_0 \mapsto 1, \tau_1 \mapsto i, \tau_3 \mapsto i, \tau_2 \mapsto k\}$
    Def. 9: $TB(\tau_1) = n$, $TB(\tau_2) = n^2$, $TB(\tau_3) = n$
    Def. 11: $TB(\tau_1) = n$, $TB(\tau_2) = n$, $TB(\tau_3) = n$

Fig. 2. Example DCPs (A), (B), (C)

We want to infer the complexity of the examples in Figure 2
(Examples A, B, C), i.e., we want to infer how often location
$l_1$ can be visited during an execution of the program. We
will do so by computing a bound on the number of times
transitions $\tau_0$, $\tau_1$, $\tau_2$ and $\tau_3$ may be executed. In general, the
complexity of a given program can be inferred by summing
up the transition bounds for the back edges in the program.

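Definition 5 (Counter Notation). Let $\tau \in T$ and $v \in \mathcal{V}$. Let
$\rho = (l_b, \sigma_0) \xrightarrow{u_0} (l_1, \sigma_1) \xrightarrow{u_1} \cdots (l_e, \sigma_n)$ be a finite run of
$\Delta\mathcal{P}$. By $\sharp(\tau, \rho)$ we denote the number of times that $\tau$ occurs
on $\rho$. By $\downarrow(v, \rho)$ we denote the number of times that the value
of $v$ decreases on $\rho$, i.e. $\downarrow(v, \rho) = |\{i \mid \sigma_i(v) > \sigma_{i+1}(v)\}|$.

Definition 6 (Local Transition Bound). Let $\tau \in T$ and $v \in \mathcal{V}$.
$v$ is a local bound for $\tau$ iff on all finite runs
$\rho = (l_b, \sigma_0) \xrightarrow{u_0} (l_1, \sigma_1) \xrightarrow{u_1} \cdots (l_e, \sigma_n)$ of $\Delta\mathcal{P}$
it holds that $\sharp(\tau, \rho) \le \downarrow(v, \rho)$.
We call a complete mapping $\zeta : T \to \mathcal{V} \cup \{1\}$ a local bound
mapping for $\Delta\mathcal{P}$ if $\zeta(\tau)$ is a local bound of $\tau$ or $\zeta(\tau) = 1$
and $\tau$ can only appear at most once on any path of $\Delta\mathcal{P}$.

Example A: $i$ is a local bound for $\tau_1$, $j$ is a local bound for
$\tau_2$. Example C: $i$ is a local bound for $\tau_1$ and for $\tau_3$.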

A variable $v$ is a local transition bound if on any run of $\Delta\mathcal{P}$
we can traverse $\tau$ not more often than the number of times the
value of $v$ decreases. I.e., a local bound $v$ limits the potential
number of executions of $\tau$ as long as the value of $v$ does
not increase. In our analysis, local transition bounds play the
role of potential functions in classical amortized complexity 
analysis ca. Our bound algorithm is based on a mapping 
which assigns each transition a local bound. We discuss how 
we find local bounds in Section III-C.

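Definition 7 (Variable Bound). An expression expr over $\mathcal{C} \cup \mathbb{Z}$
is a variable bound for $v \in \mathcal{V}$ iff for any finite run
$\rho = (l_b, \sigma_0) \xrightarrow{u_0} (l_1, \sigma_1) \xrightarrow{u_1} (l_2, \sigma_2) \cdots (l_e, \sigma_n)$ of $\Delta\mathcal{P}$ and
all $1 \le i \le n$ with $v \in \mathcal{D}(l_i)$ it holds that $\sigma_i(v) \le \sigma_0(\mathit{expr})$.

Let $v \in \mathcal{V}$. Our algorithm is based on a syntactic distinction
between transitions which increment $v$ or reset $v$.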


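Definition 8 (Resets and Increments). Let $v \in \mathcal{V}$. We define
the resets $\mathcal{R}(v)$ and increments $\mathcal{I}(v)$ of $v$ as follows:

$$\mathcal{R}(v) = \{(l_1 \xrightarrow{u} l_2, a, c) \in T \times \mathcal{A} \times \mathbb{Z} \mid v' \le a + c \in u,\ a \ne v\}$$

$$\mathcal{I}(v) = \{(l_1 \xrightarrow{u} l_2, c) \in T \times \mathbb{Z} \mid v' \le v + c \in u,\ c > 0\}$$

Given a path $\pi$ of $\Delta\mathcal{P}$ we say that $v$ is reset on $\pi$ if there
is a transition $\tau$ on $\pi$ such that $(\tau, a, c) \in \mathcal{R}(v)$ for some
$a \in \mathcal{A}$ and $c \in \mathbb{Z}$.

Example B: $\mathcal{I}(k) = \{(\tau_1, 1)\}$ and $\mathcal{R}(k) = \{(\tau_0, n, 0)\}$.

I.e., we have $(\tau, a, c) \in \mathcal{R}(v)$ if variable $v$ is reset to a value
$\le a + c$ when executing the transition $\tau$. Accordingly we have
$(\tau, c) \in \mathcal{I}(v)$ if variable $v$ is incremented by a value $\le c$ when
executing the transition $\tau$.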

Our algorithm in Definition 9 is built on a mutual recursion
between the two functions $VB(v)$ and $TB(\tau)$, where $VB(v)$
infers a variable bound for $v$ and $TB(\tau)$ infers a transition
bound for the transition $\tau$.

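Definition 9 (Bound Algorithm). Let $\zeta : T \to \mathcal{V} \cup \{1\}$ be a
local bound mapping for $\Delta\mathcal{P}$. We define $VB : \mathcal{A} \mapsto Expr(\mathcal{A})$
and $TB : T \mapsto Expr(\mathcal{A})$ as:

$$VB(a) = a, \text{ if } a \in \mathcal{A} \setminus \mathcal{V}, \text{ else}$$

$$VB(v) = Incr(v) + \max_{(\_, a, c) \in \mathcal{R}(v)} (VB(a) + c)$$

$$TB(\tau) = 1, \text{ if } \zeta(\tau) = 1, \text{ else}$$

$$TB(\tau) = Incr(\zeta(\tau)) + \sum_{(t, a, c) \in \mathcal{R}(\zeta(\tau))} TB(t) \times \max(VB(a) + c, 0)$$

where

$$Incr(v) = \sum_{(\tau, c) \in \mathcal{I}(v)} TB(\tau) \times c \qquad (Incr(v) = 0 \text{ for } \mathcal{I}(v) = \emptyset)$$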

Discussion: We first explain the subroutine $Incr(v)$: With
$(\tau, c) \in \mathcal{I}(v)$ we have that a single execution of $\tau$ increments
the value of $v$ by not more than $c$. $Incr(v)$ multiplies the
transition bound of $\tau$ with the increment $c$ for summarizing
the total amount by which $v$ may be incremented over all
executions of $\tau$. $Incr(v)$ thus computes a bound on the total
amount by which the value of $v$ may be incremented during
a program run.

The function $VB(v)$ computes a variable bound for $v$: After
executing a reset transition $(\tau, a, c) \in \mathcal{R}(v)$, the value of $v$ is
bounded by $VB(a) + c$. As long as $v$ is not reset, its value
cannot increase by more than $Incr(v)$.

The function $TB(\tau)$ computes a transition bound for $\tau$ based
on the following reasoning: (1) The total amount by which
the local bound $\zeta(\tau)$ of transition $\tau$ can be incremented is
bounded by $Incr(\zeta(\tau))$. (2) We consider a reset
$(t, a, c) \in \mathcal{R}(\zeta(\tau))$; in the worst case, a single execution of $t$ resets the
local bound $\zeta(\tau)$ to $VB(a) + c$, adding $\max(VB(a) + c, 0)$
to the potential number of executions of $\tau$; in total all $TB(t)$
possible executions of $t$ add up to $TB(t) \times \max(VB(a) + c, 0)$
to the potential number of executions of $\tau$.

Example A, $\zeta$ as defined in Figure 2: $j$ is reset to 0 on $\tau_0$ and
incremented by 1 on $\tau_1$. $i$ is reset to $n$ on $\tau_0$. Our algorithm
computes $TB(\tau_2) = TB(\tau_1) \times 1 + TB(\tau_0) \times 0 = TB(\tau_1) =
TB(\tau_0) \times n = n$. Thus the overall complexity of Example A
is inferred by $TB(\tau_1) + TB(\tau_2) = 2n$.

Example B, $\zeta$ as defined in Figure 2: $i$ and $l$ are reset to $n$ on
$\tau_0$. Our algorithm computes $TB(\tau_1) = TB(\tau_0) \times n = n$ and
$TB(\tau_2) = TB(\tau_0) \times n = n$. $j$ is reset to 0 on $\tau_0$ and reset
to $k$ on $\tau_2$. Our algorithm computes $TB(\tau_3) = TB(\tau_0) \times 0 +
TB(\tau_2) \times VB(k)$. Since $k$ is reset to 0 on $\tau_0$ and incremented
by 1 on $\tau_1$, our algorithm computes $VB(k) = TB(\tau_1) \times 1 =
n \times 1 = n$. Thus $TB(\tau_3) = TB(\tau_2) \times VB(k) = n \times n =
n^2$. Thus the overall complexity of Example B is inferred by
$TB(\tau_1) + TB(\tau_2) + TB(\tau_3) = n + n + n^2 = 2n + n^2$.

Example 2 (Figure 1): $\zeta = \{\tau_0, \tau_{0a}, \tau_{0b}, \tau_2 \mapsto 1,\ \tau_1 \mapsto y,\ \tau_3 \mapsto z\}$,
$\mathcal{R}(z) = \{(\tau_2, x, 0)\}$, $\mathcal{I}(x) = \{(\tau_1, 2)\}$,
$\mathcal{R}(x) = \{(\tau_{0a}, m_1, 0), (\tau_{0b}, m_2, 0)\}$, $\mathcal{R}(y) = \{(\tau_0, n, 0)\}$. We have
stated the computation of $TB(\tau_3)$ in Section II-B.

Termination: Our algorithm does not terminate if recursive
calls cycle, i.e., if a call to $TB(\tau)$ resp. $VB(v)$ (indirectly)
leads to a recursive call to $TB(\tau)$ resp. $VB(v)$. This can be
easily detected, we return the value $\bot$ (undefined).

Theorem 1 (Soundness). Let $\Delta\mathcal{P}(L, T, l_b, l_e)$ be a well-defined
and deterministic DCP over atoms $\mathcal{A}$, $\zeta : T \mapsto \mathcal{V} \cup \{1\}$
be a local bound mapping for $\Delta\mathcal{P}$, $v \in \mathcal{V}$ and $\tau \in T$.
Either $TB(\tau) = \bot$ or $TB(\tau)$ is a transition bound for $\tau$.
Either $VB(v) = \bot$ or $VB(v)$ is a variable bound for $v$.
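
The mutual recursion of Definition 9, as an added example (not the authors' Loopus implementation): it evaluates VB and TB numerically under an initial valuation instead of building symbolic expressions, and returns None for the undefined value when the recursion cycles. The dictionary encoding, the transition names t0, t0a, ... and all class and function names are assumptions of this example; the constraint sets follow the resets, increments and decrements the text names for Examples A, B and 2.

```python
BOTTOM = None  # the undefined value returned when recursive calls cycle


class BoundAnalysis:
    """VB/TB of Definition 9, evaluated under an initial valuation sigma0."""

    def __init__(self, transitions, zeta, sigma0):
        # transitions: {tau: {v: (a, c)}} encodes the constraint v' <= a + c on tau
        # (one constraint per variable and transition, i.e. a deterministic DCP).
        # zeta: local bound mapping, tau -> variable name or the integer 1.
        # sigma0: values of the symbolic constants (assumed encoding).
        self.trans, self.zeta, self.sigma0 = transitions, zeta, sigma0
        self.variables = {v for u in transitions.values() for v in u}
        self.active, self.memo = set(), {}

    def resets(self, v):
        # R(v): triples (tau, a, c) with v' <= a + c on tau and a != v
        return [(t, u[v][0], u[v][1]) for t, u in self.trans.items()
                if v in u and u[v][0] != v]

    def increments(self, v):
        # I(v): pairs (tau, c) with v' <= v + c on tau and c > 0
        return [(t, u[v][1]) for t, u in self.trans.items()
                if v in u and u[v][0] == v and u[v][1] > 0]

    def _guarded(self, key, compute):
        if key in self.memo:
            return self.memo[key]
        if key in self.active:      # this call is already on the stack: a cycle
            return BOTTOM
        self.active.add(key)
        try:
            self.memo[key] = compute()
        finally:
            self.active.discard(key)
        return self.memo[key]

    def incr(self, v):
        bounds = [(self.TB(t), c) for t, c in self.increments(v)]
        if any(tb is BOTTOM for tb, _ in bounds):
            return BOTTOM
        return sum(tb * c for tb, c in bounds)

    def VB(self, a):
        if a not in self.variables:  # symbolic constant or natural number
            return self.sigma0[a] if isinstance(a, str) else a

        def compute():
            inc = self.incr(a)
            vals = [(self.VB(b), c) for _, b, c in self.resets(a)]
            if inc is BOTTOM or any(vb is BOTTOM for vb, _ in vals):
                return BOTTOM
            # Assumption: a variable without any reset contributes 0 to the max.
            return inc + max((vb + c for vb, c in vals), default=0)
        return self._guarded(("VB", a), compute)

    def TB(self, tau):
        v = self.zeta[tau]
        if v == 1:
            return 1

        def compute():
            inc = self.incr(v)
            terms = [(self.TB(t), self.VB(a), c) for t, a, c in self.resets(v)]
            if inc is BOTTOM or any(tb is BOTTOM or vb is BOTTOM
                                    for tb, vb, _ in terms):
                return BOTTOM
            return inc + sum(tb * max(vb + c, 0) for tb, vb, c in terms)
        return self._guarded(("TB", tau), compute)


def complexity(analysis, back_edges):
    """Sum of the transition bounds of the given back edges."""
    bounds = [analysis.TB(t) for t in back_edges]
    return BOTTOM if any(b is BOTTOM for b in bounds) else sum(bounds)


# Constraints of the form v' <= v are omitted; they are neither resets nor increments.
def example_a(n):
    return BoundAnalysis(
        {"t0": {"i": ("n", 0), "j": (0, 0)},
         "t1": {"i": ("i", -1), "j": ("j", 1)},
         "t2": {"j": ("j", -1)}},
        {"t0": 1, "t1": "i", "t2": "j"}, {"n": n})


def example_b(n):
    return BoundAnalysis(
        {"t0": {"i": ("n", 0), "j": (0, 0), "l": ("n", 0), "k": (0, 0)},
         "t1": {"i": ("i", -1), "k": ("k", 1)},
         "t2": {"j": ("k", 0), "l": ("l", -1)},
         "t3": {"j": ("j", -1)}},
        {"t0": 1, "t1": "i", "t2": "l", "t3": "j"}, {"n": n})


def example_2(n, m1, m2):
    return BoundAnalysis(
        {"t0": {"y": ("n", 0)}, "t0a": {"x": ("m1", 0)}, "t0b": {"x": ("m2", 0)},
         "t1": {"y": ("y", -1), "x": ("x", 2)},
         "t2": {"z": ("x", 0)}, "t3": {"z": ("z", -1)}},
        {"t0": 1, "t0a": 1, "t0b": 1, "t2": 1, "t1": "y", "t3": "z"},
        {"n": n, "m1": m1, "m2": m2})


if __name__ == "__main__":
    print(complexity(example_a(5), ["t1", "t2"]))        # 2n
    print(complexity(example_b(5), ["t1", "t2", "t3"]))  # 2n + n^2
    print(example_2(5, 3, 7).TB("t3"))                   # max(m1, m2) + 2n
```

Because the bounds are evaluated for one valuation, rerunning with several values of n is what exposes the linear versus quadratic growth of Examples A and B.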


A. Context-Sensitive Bound Analysis 

So far our algorithm reasons about resets occurring on single 
transitions. In this section we increase the precision of our 
analysis by exploiting the context under which resets are 
executed through a refined notion of resets and increments. 


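Definition 10 (Reset Graph). The Reset Graph for $\Delta\mathcal{P}$
is the graph $\mathcal{G}(\mathcal{A}, \mathcal{E})$ with $\mathcal{E} \subseteq \mathcal{A} \times T \times \mathbb{Z} \times \mathcal{V}$ s.t.
$\mathcal{E} = \{(x, \tau, c, y) \mid (\tau, y, c) \in \mathcal{R}(x)\}$. We call a finite path
$\kappa = a_n \xrightarrow{\tau_n, c_n} a_{n-1} \xrightarrow{\tau_{n-1}, c_{n-1}} \cdots a_0$ in $\mathcal{G}$ with $n > 0$ a reset
path of $\Delta\mathcal{P}$. We define $in(\kappa) = a_n$, $c(\kappa) = \sum_{i=1}^{n} c_i$,
$trn(\kappa) = \{\tau_n, \tau_{n-1}, \ldots, \tau_1\}$, and $atm(\kappa) = \{a_n, a_{n-1}, \ldots, a_0\}$. $\kappa$ is
sound if for all $1 \le i < n$ it holds that $a_i$ is reset on all
paths from the target location of $\tau_1$ to the source location of
$\tau_i$ in $\Delta\mathcal{P}$. $\kappa$ is optimal if $\kappa$ is sound and there is no sound
reset path $\tilde{\kappa}$ s.t. $\kappa$ is a suffix of $\tilde{\kappa}$, i.e.,
$\tilde{\kappa} = a_{n+k} \xrightarrow{\tau_{n+k}, c_{n+k}} a_{n+k-1} \xrightarrow{\tau_{n+k-1}, c_{n+k-1}} \cdots a_n \xrightarrow{\tau_n, c_n} a_{n-1} \cdots a_0$
with $k \ge 1$. Let $v \in \mathcal{V}$, by $\mathfrak{R}(v)$ we denote the set of optimal
reset paths ending in $v$.

[Diagrams: reset graphs $\mathcal{G}(A)$, $\mathcal{G}(B)$, $\mathcal{G}(C)$ and the reset graph of Example 1]

Fig. 3. Reset Graphs, increments by 0 are not depicted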

We explain the notions sound and optimal in the course of 
the following discussion. Figure 3 shows the reset graphs
of Examples A, B, C and Example 1 from Figure 1. For a
given reset $(\tau, a, c) \in \mathcal{R}(v)$, the reset graph determines which
atom flows into variable $v$ under which context. For example,
consider $\mathcal{G}(C)$: When executing the reset $(\tau_1, r, 0) \in \mathcal{R}(k)$
under the context $\tau_3$, $k$ is set to 0, if the same reset is executed
under the context $\tau_0$, $k$ is set to $n$. Note that the reset graph
does not represent increments of variables. We discuss how 
we handle increments below. 

We assume that the reset graph is a DAG. We can always 
force the reset graph to be a DAG by abstracting the DCP: 
we remove all program variables which have cycles in the 
reset graph and all variables whose values depend on these 
variables. Note that if the reset graph is a DAG, the set $\mathfrak{R}(v)$
is finite for all $v \in \mathcal{V}$.

Let $v \in \mathcal{V}$. Given a reset path $\kappa$ of length $k$ that ends
in $v$, we say that $(trn(\kappa), in(\kappa), c(\kappa))$ is a reset of $v$ with
context of length $k - 1$. I.e., $\mathcal{R}(v)$ from Definition 8 is the
set of context-free resets of $v$ (context of length 0), because
$(trn(\kappa), in(\kappa), c(\kappa)) \in \mathcal{R}(v)$ iff $\kappa$ ends in $v$ and has length
1. Our algorithm from Definition 9 reasons context free since
it uses only context-free resets.

Consider Example C. The precise bound for $\tau_2$ is $n$ because we
can iterate $\tau_2$ only in the first iteration of the loop at $l_1$ since $r$
is reset to 0 on $\tau_3$. But when reasoning context-free, our algorithm
infers a quadratic bound for $\tau_2$: We assume $\zeta$ to be given
as stated in Figure 2. In $\mathcal{G}(C)$ $\kappa = r \xrightarrow{\tau_1} k$ is the only reset
path of length 1 ending in $k$. Thus $\mathcal{R}(k) = \{(\tau_1, r, 0)\}$. Our
algorithm from Definition 9 computes: $TB(\tau_1) = TB(\tau_0) \times
n = n$, $VB(r) = TB(\tau_0) \times n + TB(\tau_3) \times 0 = n$,
$TB(\tau_2) = TB(\tau_1) \times VB(r) = n \times n = n^2$.

We show how our algorithm infers the linear bound for $\tau_2$
when using resets with context: If we consider $k$ with contexts,
we get $\kappa_1 = 0 \xrightarrow{\tau_3} r \xrightarrow{\tau_1} k$ and $\kappa_2 = n \xrightarrow{\tau_0} r \xrightarrow{\tau_1} k$.
Note that $\kappa_1$ and $\kappa_2$ are sound by Definition 10 because $r$ is
reset on all paths from the target location $l_2$ of $\tau_1$ to the source
location $l_1$ of $\tau_1$ in Example C (namely on $\tau_3$). Thus $\mathfrak{R}(k) =
\{(\{\tau_3, \tau_1\}, 0, 0), (\{\tau_0, \tau_1\}, n, 0)\}$. We can compute a bound on
the number of times that a sequence $\tau_1, \tau_2, \ldots \tau_n$ of transitions
may occur on a run by computing $\min_{1 \le i \le n} TB(\tau_i)$. Thus, basing
our analysis on $\mathfrak{R}(k)$ rather than $\mathcal{R}(k)$ we compute: $TB(\tau_2) =
\min(TB(\tau_3), TB(\tau_1)) \times 0 + \min(TB(\tau_0), TB(\tau_1)) \times n =
\min(n, 1) \times n = n$.

We have demonstrated that our analysis gains precision when
adding context to our notion of resets. It is, however, not sound
to base the analysis on maximal reset paths (i.e., resets with
maximal context) only: Consider Example B with $\zeta$ as stated
in Figure 2. There are 2 maximal reset paths ending in $j$ (see
$\mathcal{G}(B)$): $\kappa_1 = 0 \xrightarrow{\tau_0} j$ and $\kappa_2 = 0 \xrightarrow{\tau_0} k \xrightarrow{\tau_2} j$. Thus
$= \{(\{\tau_0, \tau_2\}, 0, 0), (\{\tau_0\}, 0, 0)\}$ is the set of resets of
$j$ with maximal context. Using rather than $\mathcal{R}(j)$ our
algorithm computes: $TB(\tau_3) = \min(TB(\tau_0), TB(\tau_2)) \times 0 +
TB(\tau_0) \times 0 + TB(\tau_1) \times 1 = TB(\tau_1) \times 1 = n$, but $n$ is not a
transition bound for $\tau_3$. The reasoning is unsound because $\kappa_2$
is unsound by Definition 10: $k$ is not reset on all paths from
the target location $l_1$ of $\tau_2$ to the source location $l_1$ of $\tau_2$ in
Example B; e.g., the path $\tau_2 = l_1 \to l_1$ of Example B does
not reset $k$.

We base our context sensitive algorithm on the set $\mathfrak{R}(v)$ of
optimal reset paths. The optimal reset paths are those that are
maximal within the sound reset paths (Definition 10).

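Definition 11 (Bound Algorithm with Context). Let
$\zeta : T \to \mathcal{V} \cup \{1\}$ be a local bound mapping for $\Delta\mathcal{P}$. Let
$VB : \mathcal{A} \mapsto Expr(\mathcal{A})$ be as defined in Definition 9. We
override the definition of $TB : T \mapsto Expr(\mathcal{A})$ in Definition 9
by stating:

$$TB(\tau) = 1 \text{ if } \zeta(\tau) = 1 \text{ else}$$

$$TB(\tau) = \sum_{\kappa \in \mathfrak{R}(\zeta(\tau))} TB(trn(\kappa)) \times \max(VB(in(\kappa)) + c(\kappa), 0) + \sum_{a \in atm(\kappa)} Incr(a)$$

where

$$TB(\{\tau_1, \tau_2, \ldots, \tau_n\}) = \min_{1 \le i \le n} TB(\tau_i)$$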

Discussion and Example: The main difference to the definition
of $TB(\tau)$ in Definition 9 is that the term $Incr(\zeta(\tau))$ is
replaced by the term $\sum_{a \in atm(\kappa)} Incr(a)$. Consider the abstracted
DCP of Example 1 in Figure 1. We have discussed in
Section II-A that $r$ may be incremented on $\tau_1$ between
the reset of $r$ to 0 on $\tau_0$ resp. $\tau_4$ and the reset of $p$ to
$r$ on $\tau_{2a}$. The term $\sum_{a \in atm(\kappa)} Incr(a)$ takes care of such
increments which may increase the value that finally flows
into $\zeta(\tau)$ (in the example $p$) when the last transition on $\kappa$
(in the example $\tau_{2a}$) is executed. We use the local bound
mapping $\zeta = \{\tau_0 \mapsto 1, \tau_1 \mapsto x, \tau_{2a} \mapsto x, \tau_{2b} \mapsto x, \tau_4 \mapsto x, \tau_5 \mapsto x, \tau_3 \mapsto p\}$
for Example 1. The reset graph of
Example 1 is shown in Figure 3. We have
$\mathfrak{R}(p) = \{0 \xrightarrow{\tau_0} r \xrightarrow{\tau_{2a}} p,\ 0 \xrightarrow{\tau_4} r \xrightarrow{\tau_{2a}} p\}$. Thus our algorithm computes

$$TB(\tau_3) = \sum_{\kappa \in \mathfrak{R}(p)} TB(trn(\kappa)) \times \max(VB(in(\kappa)) + c(\kappa), 0) + \sum_{a \in atm(\kappa)} Incr(a)$$
$$= TB(\{\tau_0, \tau_{2a}\}) \times \max(VB(0), 0) + Incr(r) + TB(\{\tau_4, \tau_{2a}\}) \times \max(VB(0), 0) + Incr(r)$$
$$= 2 \times Incr(r) = 2 \times TB(\tau_1) \times 1 = 2 \times n \quad (\text{with } TB(\tau_1) = n).$$

Complexity: In theory there can be exponentially many resets
in $\mathfrak{R}(v)$. In our experiments this never occurred, enumeration
of (optimal) reset paths did not affect performance.

Further Optimization: We have shown in Section II that
transition $\tau_3$ of Example 1 has a linear bound, precisely
$n$. The bound $2n$ that is computed by our bound algorithm
from Definition 11 is linear but not precise. We compute
$2n$ because $r$ appears on both reset paths of $p$ and therefore
$Incr(r) = n$ is added twice. However, there is only one
transition ($\tau_{2a}$) on which $p$ is reset to $r$ and between any
two executions of $\tau_{2a}$ $r$ will be reset to 0. For this reason
each increment of $r$ can only contribute once to the increase
of the local bound $p$ of $\tau_3$, and not twice. We thus suggest
to further optimize our algorithm from Definition 11 by
distinguishing if there is more than one way how $a \in atm(\kappa)$
may flow into the target variable of $\kappa$ or not. We divide
$atm(\kappa)$ into two disjoint sets $atm_2(\kappa) = \{a \in atm(\kappa) \mid$
more than 1 path from $a$ to target variable of $\kappa$ in $\mathcal{G}(\Delta\mathcal{P})\}$,
$atm_1(\kappa) = atm(\kappa) \setminus atm_2(\kappa)$. We define

$$TB(\tau) = \Big( \sum_{a \in \bigcup_{\kappa \in \mathfrak{R}(\zeta(\tau))} atm_1(\kappa)} Incr(a) \Big) + \sum_{\kappa \in \mathfrak{R}(\zeta(\tau))} TB(trn(\kappa)) \times \max(VB(in(\kappa)) + c(\kappa), 0) + \sum_{a \in atm_2(\kappa)} Incr(a)$$

for $\zeta(\tau) \ne 1$. Note that for Example 1 $atm_1(\kappa) = \{r\}$ and
$atm_2(\kappa) = \emptyset$ for both $\kappa \in \mathfrak{R}(p)$. Therefore $TB(\tau_3) = Incr(r) =
n$ with the optimization.

Theorem 2 (Soundness of Bound Algorithm with Context).
Let $\Delta\mathcal{P}(L, T, l_b, l_e)$ be a well-defined and deterministic DCP
over atoms $\mathcal{A}$, $\zeta : T \to \mathcal{V} \cup \{1\}$ be a local bound mapping for
$\Delta\mathcal{P}$, $v \in \mathcal{V}$ and $\tau \in T$. Let $TB(\tau)$ and $VB(a)$ be defined as
in Definition 11. Either $TB(\tau) = \bot$ or $TB(\tau)$ is a transition
bound for $\tau$. Either $VB(v) = \bot$ or $VB(v)$ is a variable bound
for $v$.

B. DCPs over non-well-founded domains 
In real world code, many data types are not well-founded. The
abstraction of a concrete program is much simpler and more
information is kept if the abstract program model is not limited
to a well-founded domain. Below we extend our program
model from Definition 3 to the non-well-founded domain $\mathbb{Z}$ by
adding guards to the transitions in the program. Interestingly,
our bound algorithm from Definition 9 resp. Definition 11
remains sound for the extended program model, if we adjust
our notion of a local transition bound (Definition [T^).

We extend the range of the valuations $Val_{\mathcal{A}}$ of $\mathcal{A}$ from $\mathbb{N}$
to $\mathbb{Z}$ and allow constants to be integers, i.e., we define
$\mathcal{A} = \mathcal{V} \cup \mathcal{C} \cup \mathbb{Z}$. We extend Definition 3 as follows: The transitions $T$
of a guarded DCP $\Delta\mathcal{P}(L, T, l_b, l_e)$ are a subset of
$L \times 2^{\mathcal{V}} \times 2^{DC(\mathcal{A})} \times L$. A sequence
$(l_b, \sigma_0) \xrightarrow{g_0, u_0} (l_1, \sigma_1) \xrightarrow{g_1, u_1} \cdots$ is a
run of $\Delta\mathcal{P}$ if it meets the conditions required in Definition 3
and additionally $\sigma_i(x) > 0$ holds for all $x \in g_i$. For examples
see Figure 1.

Definition 12 (Local Transition Bound for DCPs with
guards). Let $\Delta\mathcal{P}(L, T, l_b, l_e)$ be a DCP with guards over $\mathcal{A}$.
Let $\tau \in T$ and $v \in \mathcal{V}$. $v$ is a local bound for $\tau$ if for all finite
runs $\rho = (l_b, \sigma_0) \to (l_1, \sigma_1) \to \cdots (l_e, \sigma_n)$ of $\Delta\mathcal{P}$ it holds
that $\sharp(\tau, \rho) \le {\downarrow}(\max(v, 0), \rho)$.

The algorithms in Sections III-C and IV are based on the
extended program model over $\mathbb{Z}$; it is straightforward to adjust
them for DCPs without guards.

C. Determining Local Bounds

We call a path of a DCP $\Delta\mathcal{P}(L, T, l_b, l_e)$ simple and cyclic
if it has the same start- and end-location and does not visit a
location twice except for the start- and end-location. Given a
transition $\tau \in T$ we assign it $v \in \mathcal{V}$ as local bound if for all
simple and cyclic paths $\pi = l_1 \xrightarrow{g_1, u_1} l_2 \cdots l_n$ ($l_n = l_1$)
of $\Delta\mathcal{P}$ that traverse $\tau$ it holds that (1) $\exists\, 0 < i < n$ s.t. $v \in g_i$
and (2) $\exists\, 0 < i < n$ s.t. $v' \le v + c \in u_i$ for some $c < 0$. Our
implementation avoids an explicit enumeration of the simple
and cyclic paths of $\Delta\mathcal{P}$ by a simple data flow analysis.
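
The two conditions above can be checked directly by enumerating simple cycles, which is what the following added Python example does (it is not code from the paper or from Loopus, whose implementation uses a data flow analysis instead). The transition table is a constructed encoding of the guarded DCP of Example 3 from the appendix, with variables renamed as there; returning 1 for a transition that lies on no cycle is an assumption of this example.

```python
# Constructed encoding of the guarded DCP of Example 3:
# (source, name, guards, variables with v' <= v + c and c < 0, target)
TRANSITIONS = [
    ("lb", "t0",  set(), set(), "l1"),
    ("l1", "t1",  {"x"}, {"x"}, "l2"),   # guard x > 0, x' <= x - 1
    ("l2", "t2a", set(), set(), "l3"),
    ("l2", "t2b", set(), set(), "l3"),
    ("l3", "t3a", set(), set(), "l4"),
    ("l3", "t3b", set(), set(), "l5"),
    ("l4", "t4",  {"p"}, {"p"}, "l4"),   # guard p > 0, p' <= p - 1
    ("l4", "t5",  set(), set(), "l5"),
    ("l5", "t6",  set(), set(), "l1"),
]
VARIABLES = ["p", "q", "r", "x"]


def simple_cycles_through(t):
    """Yield every simple cyclic path (list of transitions) that traverses t."""
    src, dst = t[0], t[4]

    def extend(loc, path, visited):
        if loc == src:                      # back at the start location
            yield path
            return
        for u in TRANSITIONS:
            if u[0] == loc and u[4] not in visited:
                yield from extend(u[4], path + [u], visited | {u[4]})

    yield from extend(dst, [t], {dst})


def local_bound(name):
    """Return a variable satisfying conditions (1) and (2) on all cycles through
    the transition, 1 if it lies on no cycle, or None if no variable qualifies."""
    t = next(u for u in TRANSITIONS if u[1] == name)
    cycles = list(simple_cycles_through(t))
    if not cycles:
        return 1        # assumption: a transition on no cycle runs at most once
    for v in VARIABLES:
        if all(any(v in u[2] for u in c) and any(v in u[3] for u in c)
               for c in cycles):
            return v
    return None
```

On this encoding the inner-loop transition gets `p` and every other transition on the outer loop gets `x`.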

IV. Program Abstraction 

In this section we present our concrete program model and 
discuss how we abstract a given program to a DCP. 

Definition 13 (Program). Let $\Sigma$ be a set of states. The set of
transition relations $\Gamma = 2^{\Sigma \times \Sigma}$ is the set of relations over $\Sigma$. A
program is a directed labeled graph $\mathcal{P} = (L, E, l_b, l_e)$, where
$L$ is a finite set of locations, $l_b \in L$ is the entry location,
$l_e \in L$ is the exit location and $E \subseteq L \times \Gamma \times L$ is a finite set of
transitions. We write $l_1 \xrightarrow{\rho} l_2$ to denote a transition $(l_1, \rho, l_2)$.
A norm $e \in \Sigma \to \mathbb{Z}$ is a function that maps the states to the
integers.

Programs are labeled transition systems over some set of
states, where each transition is labeled by a transition relation
that describes how the state changes along the transition. Note
that a DCP (Definition 3) is a program by Definition 13.

Definition 14 (Transition Invariants). Let $e_1, e_2, e_3 \in \Sigma \to \mathbb{Z}$
be norms, and let $c \in \mathbb{Z}$ be some integer. We say $e_1' \le e_2 + e_3$
is invariant for $l_1 \xrightarrow{\rho} l_2$, if $e_1(s_2) \le e_2(s_1) + e_3(s_1)$ holds for
all $(s_1, s_2) \in \rho$. We say $e_1 > 0$ is invariant for $l_1 \xrightarrow{\rho} l_2$, if
$e_1(s_1) > 0$ holds for all $(s_1, s_2) \in \rho$.

Definition 15 (Abstraction of a Program). Let $\mathcal{P} = (L, E, l_b, l_e)$
be a program and let $N$ be a finite set of norms.
A DCP $\Delta\mathcal{P} = (L, E', l_b, l_e)$ with atoms $N$ is an abstraction
of the program $\mathcal{P}$ iff for each transition $l_1 \xrightarrow{\rho} l_2 \in E$ there
is a transition $l_1 \xrightarrow{g, u} l_2 \in E'$ s.t. every $e_1' \le e_2 + c \in u$ is
invariant for $l_1 \xrightarrow{\rho} l_2$ and for every $e_1 \in g$ it holds that $e_1 > 0$
is invariant for $l_1 \xrightarrow{\rho} l_2$.

We propose to abstract a program $\mathcal{P} = (L, E, l_b, l_e)$ to a DCP
$\Delta\mathcal{P} = (L, E', l_b, l_e)$ as follows: Let $N$ be some initial set of
norms.

1) For each transition $l_1 \xrightarrow{\rho} l_2 \in E$ we generate a set of
difference constraints $\alpha(\rho)$: Initially we set $\alpha(\rho) = \emptyset$ for all
transitions $l_1 \xrightarrow{\rho} l_2$. We then repeat the following construction
until the set of norms $N$ becomes stable: For each $e_1 \in N$ and
$l_1 \xrightarrow{\rho} l_2 \in E$ we check whether there is a difference constraint
of form $e_1' \le e_2 + c$ for $e_1$ in $\alpha(\rho)$. If not, we try to find a norm
$e_2$ (possibly not yet in $N$) and a constant $c \in \mathbb{Z}$ s.t. $e_1' \le e_2 + c$
is invariant for $\rho$. If we find appropriate $e_2$ and $c$, we add
$e_1' \le e_2 + c$ to $\alpha(\rho)$ and $e_2$ to $N$. I.e., our transition abstraction
algorithm performs a fixed point computation which might not
terminate if new terms keep being added (see discussion in
next section).

2) For each transition $l_1 \xrightarrow{\rho} l_2$ we generate a set of guards
$G(\rho)$: Initially we set $G(\rho) = \emptyset$ for all transitions $l_1 \xrightarrow{\rho} l_2$.
For each $e \in N$ and each transition $l_1 \xrightarrow{\rho} l_2$ we check if $e > 0$
is invariant for $l_1 \xrightarrow{\rho} l_2$. If so, we add $e$ to $G(\rho)$.

3) We set $E' = \{l_1 \xrightarrow{G(\rho), \alpha(\rho)} l_2 \mid l_1 \xrightarrow{\rho} l_2 \in E\}$.

In the following we discuss how we implement the above
sketched abstraction algorithm.

A. Implementation 

0. Guessing the initial set of Norms: We aim at creating
a suitable abstract program for bound analysis. In our
non-recursive setting, complexity evolves from iterating loops.
Therefore we search for expressions which limit the number
of loop iterations. For this purpose we consider conditions of
form $a > b$ resp. $a \ge b$ found in loop headers or on loop-paths
if they involve loop counter variables, i.e., variables
which are incremented and/or decremented inside the loop.
Such conditions are likely to limit the consecutive execution
of single or multiple loop-paths. From each such condition we
form the integer expression $b - a$ and add it to our initial set
of norms. Note that on those transitions on which $a > b$ holds,
$b - a > 0$ must hold.

1. Abstracting Transitions: For a given norm $e \in N$
and a transition $l_1 \xrightarrow{\rho} l_2$ we derive a transition predicate
$e' \le e_2 + c \in \alpha(\rho)$ as follows: We symbolically execute $\rho$
for deriving $e'$ from $e$. In order to keep the number of norms
low, we first try

i) to find a norm $e_2 \in N$ s.t. $e' \le e_2 + e_3$ is invariant for
$\rho$ where $e_3$ is some integer valued expression. If $e_3 = c$
for some integer $c \in \mathbb{Z}$ we derive the transition predicate
$e' \le e_2 + c$. Else we use our bound algorithm (Section III) for
over-approximating $e_3$ by a constant expression $k > e_3$ and
infer the transition predicate $e' \le e_2 + k$ where we consider
$k$ to be a symbolic constant.

ii) If i) fails, we form a norm $e_4$ s.t. $e' \le e_4 + c$ by separating
constant parts in the expression $e'$ using associativity and
commutativity of the addition operator. E.g., given $e' = v + 5$
we set $e_4 = v$ and $c = 5$. We add $e_4$ to $N$ and derive the
predicate $e' \le e_4 + c$.

Since case ii) triggers a recursive abstraction for the newly
added norm we have to ensure the termination of our abstraction
procedure: Note that we can always stop the abstraction
process at any point, getting a sound abstraction of the original
program. We therefore enforce termination of the abstraction
algorithm by limiting the chain of recursive abstraction steps
triggered by entering case ii) above: In case this limit is
exceeded we remove all norms from the abstract program
which form part of the limit exceeding chain of recursive
abstraction steps. This also ensures well-definedness of the
resulting abstract program.

Further note that the DCPs generated by our algorithm are
always deterministic: For each transition, we get at most one
predicate $e' \le e_2 + c$ for each $e \in N$.

2. Inferring Guards: Given a transition $l_1 \xrightarrow{\rho} l_2$ and a norm
$e$, we use an SMT solver to check whether $e > 0$ is invariant
for $l_1 \xrightarrow{\rho} l_2$. If so, we add $e$ to $G(\rho)$.

Non-linear Iterations: We handle counter updates such as
$x' = 2x$ or $x' = x/2$ as discussed in ifThl .

Fig. 4. Tool Results on analyzing the complexity of 1659 functions in the
cBench benchmark, none of the tools infers log bounds.


V. Experiments 

Implementation: We have implemented the presented algorithm
into our tool Loopus |[T|. Loopus reads in the LLVM ITSl
intermediate representation and performs an intra-procedural
analysis. It is capable of computing bounds for loops as well
as analyzing the complexity of non-recursive functions.
Experimental Setup: For our experimental comparison we
used the program and compiler optimization benchmark Collective
Benchmark m (cBench), which contains a total of
1027 different C files (after removing code duplicates) with
211.892 lines of code. In contrast to our earlier work we
did not perform a loop bound analysis but a complexity
analysis on function level. We set up the first comparison of
complexity analysis tools on real world code. For comparing
our new tool (Loopus’15) we chose the 3 most promising
tools from recent publications: the tool KoAT implementing
the approach of G], the tool CoFloCo implementing GO)
and our own earlier implementation (Loopus’14) ifThl . Note
that we compared against the most recent versions of KoAT
and CoFloCo (download 01/23/15).¹ The experiments were
performed on a Linux system with an Intel dual-core 3.2
GHz processor and 16 GB memory. We used the following
experimental set up:

1) We compiled all 1027 C files in the benchmark into the 
llvm intermediate representation using clang. 

2) We extracted all 1751 functions which contain at least one 
loop using the tool llvm-extract (comes with the llvm tool 
suite). Extracting the functions to single files guarantees an 
intra-procedural setting for all tools. 

3) We used the tool llvm2kittel ||3l to translate the 1751 llvm 
modules into 1751 text files in the Integer Transition System 
(ITS) format read in by KoAT. 

4) We used the transformation described in IfTOl to translate 
the ITS format of KoAT into the ITS format of CoFloCo. 
This last step is necessary because there exists no direct way 
of translating C or the llvm intermediate representation into 
the CoFloCo input format. 

5) We decided to exclude the 91 recursive functions in the set
because we were not able to run CoFloCo on these examples
(the transformation tool does not support recursion), KoAT
was not successful on any of them and Loopus does not
support recursion.

In total our example set thus comprises 1659 functions. 
Evaluation: Table 4 shows the results of the 4 tools on our
benchmark using a time out of 60 seconds. The first column
shows the number of functions which were successfully
bounded by the respective tool, the last column shows the
number of time outs, on the remaining examples (not shown
in the table) the respective tool did not time out but was also
not able to compute a bound. The column Time shows the total
time used by the tool to process the benchmark. Loopus’15
computes the complexity for about twice as many functions
as KoAT, CoFloCo and Loopus’14 while needing an order of
magnitude less time than KoAT and CoFloCo and significantly
less time than Loopus’14. We conclude that our approach is
both scalable and more successful than existing approaches.

¹ https://github.com/s-falke/kittel-koat, https://github.com/aeflores/CoFloCo

Pointer and Shape Analysis: Even Loopus’15 computed
bounds for only about half of the functions in the benchmark.
Studying the benchmark code we concluded that for many
functions pointer alias and/or shape analysis is needed for
inferring functional complexity. In our experimental comparison
such information was not available to the tools. Using
optimistic (but unsound) assumptions on pointer aliasing and
heap layout, our tool Loopus’15 was able to compute the
complexity for in total 1185 out of the 1659 functions in the
benchmark (using 28 minutes total time).

Amortized Complexity: During our experiments, we found
15 examples with an amortized complexity that could only
be inferred by the approach presented in this paper. These
examples and further experimental results can be found on fT]
where our new tool is offered for download.

    xnu(int len) {
        int beg,end,i = 0;
l1      while (i < len) {
            i++;
l2          if (*)
                end = i;
l3          if (*) {
                int k = beg;
l4              while (k < end)
                    k++;
                end = i;
                beg = end;
            }
l5      }
    }

(a) Example 3



(b) LTS of Example 3 (figure)

(c) Abstracted DCP for Example 3 (figure)


Fig. 5. Example 3 shows the code after which we have modeled Example 1, * denotes non-determinism (arising from conditions not modeled in the analysis) 


Appendix 

A. Full Example 

Example 3 in Figure 5 contains a snippet of the source
code after which we have modeled Example 1 in Figure 2.
Example 3 can be found in the SPEC CPU2006 benchmark²
in function XNU of 456.hmmer/src/masks.c. The outer loop
in Example 3 partitions the interval [0, len] into disjoint
sub-intervals [beg, end]. The inner loop iterates over the
sub-intervals. Therefore the inner loop has an overall linear
iteration count. Example 3 is a natural example for amortized
complexity: Though a single visit to the inner loop can cost
len (if beg = 0 and end = len), several visits can also
not cost more than len since in each visit the loop iterates
over a disjoint sub-interval. I.e., the total cost len of the
inner loop is the amortized cost over all visits to the inner
loop. To the best of our knowledge our new implementation
Loopus’15 (available at HI) is the only tool that infers the
linear complexity of Example 3 without user interaction.
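
The amortized argument can be checked by brute force. The following added Python example (a port of the Example 3 listing written for this page, not code from the paper) runs the loop under every resolution of the two `if (*)` branches and records the total cost and the largest single-visit cost of the inner loop; it assumes that beg and end start at 0.

```python
from itertools import product


def xnu_inner_iterations(length, choices):
    """Run Example 3 with the two `if (*)` branches resolved by `choices`,
    one (take_first, take_second) pair per outer iteration.
    Returns (total inner-loop iterations, largest single visit)."""
    beg = end = i = 0          # assumption: beg and end start at 0
    total = worst_visit = 0
    while i < length:
        take_first, take_second = choices[i]
        i += 1
        if take_first:
            end = i
        if take_second:
            k, visit = beg, 0
            while k < end:     # the inner loop at l4
                k += 1
                visit += 1
            total += visit
            worst_visit = max(worst_visit, visit)
            end = i
            beg = end
    return total, worst_visit


def explore(length):
    """Enumerate every resolution of the non-determinism for a given len and
    return (maximal total cost, maximal single-visit cost) of the inner loop."""
    branch_pairs = list(product((False, True), repeat=2))
    results = [xnu_inner_iterations(length, c)
               for c in product(branch_pairs, repeat=length)]
    return max(t for t, _ in results), max(v for _, v in results)
```

For every len both maxima equal len: one visit can cost len, yet all visits together never cost more than len, whereas multiplying the number of visits by the worst single visit would suggest a quadratic cost.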

1) Abstraction: In Figure 5 (b) the labeled transition system
for Example 3 is shown. We discuss how our abstraction
algorithm from Section IV abstracts the example to the DCP
shown in Figure 5 (c).

Our heuristics add the expressions $l - i$ and $e - k$ generated
from the conditions $k < e$ and $i < l$ to the initial set of norms
$N$. Thus our initial set of norms is $N = \{l - i, e - k\}$.

• We check how $l - i$ changes on the transitions
$\rho_0, \rho_1, \rho_{2a}, \rho_{2b}, \rho_{3a}, \rho_{3b}, \rho_4, \rho_5, \rho_6$:

- $\rho_0$: we derive $(l - i)' \le l$ (reset), we add $l$ to $N$

- $\rho_1$: we derive $(l - i)' \le (l - i) - 1$ (negative increment)

- $\rho_{2a}, \rho_{2b}, \rho_{3a}, \rho_{3b}, \rho_4, \rho_5, \rho_6$: $l - i$ unchanged

• We check how $l$ changes on the transitions
$\rho_0, \rho_1, \rho_{2a}, \rho_{2b}, \rho_{3a}, \rho_{3b}, \rho_4, \rho_5, \rho_6$:

- unchanged on all transitions

• We check how $e - k$ changes on the transitions $\rho_{3a}, \rho_4$
($k$ is only defined at $l_4$):

- $\rho_{3a}$: we derive $(e - k)' \le (e - b)$ (reset), we add
$(e - b)$ to $N$

- $\rho_4$: we derive $(e - k)' \le (e - k) - 1$ (negative
increment)

• We check how $e - b$ changes on the transitions
$\rho_0, \rho_1, \rho_{2a}, \rho_{2b}, \rho_{3a}, \rho_{3b}, \rho_4, \rho_5, \rho_6$:

- $\rho_0$: we derive $(e - b)' \le 0$ (reset)

- $\rho_{2a}$: we derive $(e - b)' \le (i - b)$, we add $(i - b)$ to
$N$

- $\rho_5$: we derive $(e - b)' \le 0$ (reset)

- $\rho_1, \rho_{2b}, \rho_{3a}, \rho_{3b}, \rho_4, \rho_6$: $e - b$ unchanged

• We check how $i - b$ changes on the transitions
$\rho_0, \rho_1, \rho_{2a}, \rho_{2b}, \rho_{3a}, \rho_{3b}, \rho_4, \rho_5, \rho_6$:

- $\rho_0$: we derive $(i - b)' \le 0$ (reset)

- $\rho_1$: we derive $(i - b)' \le (i - b) + 1$ (increment)

- $\rho_5$: we derive $(i - b)' \le 0$ (reset)

- $\rho_{2a}, \rho_{2b}, \rho_{3a}, \rho_{3b}, \rho_4, \rho_6$: unchanged

• We have processed all norms in $N$

We infer that $\rho_1 \models (l - i) > 0$ and $\rho_4 \models (e - k) > 0$.

The resulting DCP is shown in Figure 5 (c).

² https://www.spec.org/cpu2006/
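
The trace above can be reproduced mechanically. The following added Python example (not the paper's or Loopus's code) runs the fixed point of the abstraction algorithm on a constructed encoding of Example 3's transitions, matching each derived expression against the known norms and otherwise adding its non-constant part as a new norm as in case ii); the encoding, the names `rho0` to `rho6` and the assumption that beg and end start at 0 are this example's own.

```python
# Constructed encoding of Example 3's transitions: each maps an assigned variable
# to (linear part, constant) of its new value; unlisted variables are unchanged.
TRANSITIONS = {
    "rho0":  {"i": ({}, 0), "beg": ({}, 0), "end": ({}, 0)},   # assumed initial values
    "rho1":  {"i": ({"i": 1}, 1)},                             # i++
    "rho2a": {"end": ({"i": 1}, 0)},                           # end = i
    "rho2b": {},
    "rho3a": {"k": ({"beg": 1}, 0)},                           # k = beg
    "rho3b": {},
    "rho4":  {"k": ({"k": 1}, 1)},                             # k++
    "rho5":  {"end": ({"i": 1}, 0), "beg": ({"i": 1}, 0)},     # end = i; beg = end
    "rho6":  {},
}
DEFINED_ON = {"k": {"rho3a", "rho4"}}      # k is only defined at l4


def norm(**coeffs):
    """A constant-free linear expression, e.g. norm(len=1, i=-1) for len - i."""
    return frozenset((v, c) for v, c in coeffs.items() if c)


def step(e, update):
    """Symbolically execute `update` on norm e; return (linear part, constant)."""
    lin, const = {}, 0
    for v, coef in e:
        part, k = update.get(v, ({v: 1}, 0))
        const += coef * k
        for w, cw in part.items():
            lin[w] = lin.get(w, 0) + coef * cw
    return norm(**lin), const


def abstract(initial):
    """Return (norms, dcs); dcs[(transition, e)] = (e2, c) encodes e' <= e2 + c,
    where an empty e2 means a reset to the constant c."""
    norms, work, dcs = list(initial), list(initial), {}
    while work:                                  # fixed point over the set of norms
        e = work.pop(0)
        for name, update in TRANSITIONS.items():
            if any(name not in DEFINED_ON.get(v, TRANSITIONS) for v, _ in e):
                continue                         # a variable of e is undefined here
            e2, c = step(e, update)
            if e2 and e2 not in norms:           # new norm: abstract it as well
                norms.append(e2)
                work.append(e2)
            dcs[name, e] = (e2, c)
    return norms, dcs
```

Started from the two initial norms len - i and end - k, the fixed point ends with the five norms listed above and the same resets and increments.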

Fig. 6. DCP for Example 3, variables renamed

2) Bound Computation: We discuss how our bound algorithm
from Section III infers the linear bound for the inner loop at
$l_4$. For ease of readability, we state the abstracted DCP of
Example 3 in Figure 6, renaming the variables by the following
scheme: $\{p = (e - k), q = (e - b), r = (i - b), x = (l - i)\}$. On
the right hand side the reset graph is shown. Our algorithm
from Definition 11 now computes a bound for the example by
the following reasoning:


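1) Our algorithm for determining the local bound mapping
(Section III-C) assigns the following local bounds to the
respective transitions: $\zeta(\tau_0) = \zeta(\tau_1) = \zeta(\tau_{2a}) = \zeta(\tau_{2b}) = \zeta(\tau_{3a}) = \zeta(\tau_{3b}) = \zeta(\tau_5) = \zeta(\tau_6) = x$,
$\zeta(\tau_4) = p$.

2) $\mathfrak{R}(p) = \{0 \xrightarrow{\tau_0, 0} r \xrightarrow{\tau_{2a}, 0} q \xrightarrow{\tau_{3a}, 0} p,\; 0 \xrightarrow{\tau_5, 0} r \xrightarrow{\tau_{2a}, 0} q \xrightarrow{\tau_{3a}, 0} p,\; 0 \xrightarrow{\tau_0, 0} q \xrightarrow{\tau_{3a}, 0} p,\; 0 \xrightarrow{\tau_5, 0} q \xrightarrow{\tau_{3a}, 0} p\}$

3) We get: $TB(\tau_1)$ resp. $TB(\tau_{2a})$ resp. $TB(\tau_{2b})$ resp.
$TB(\tau_{3a})$ resp. $TB(\tau_{3b})$ resp. $TB(\tau_5)$ resp. $TB(\tau_6)$
$= TB(\tau_0) \times l = l$ (Definition 11) with $TB(\tau_0) = 1$

4) For $\tau_4$ we get: $TB(\tau_4) = TB(\{\tau_0, \tau_{2a}, \tau_{3a}\}) \times 0 + TB(\tau_1) \times 1 + TB(\{\tau_5, \tau_{2a}, \tau_{3a}\}) \times 0 + TB(\tau_1) \times 1 + TB(\{\tau_0, \tau_{3a}\}) \times 0 + TB(\{\tau_5, \tau_{3a}\}) \times 0 = n \times 1 + n \times 1 = 2n$
(Definition 11) with $TB(\tau_1) = n$

5) We get the precise bound $n$ for $\tau_4$ when applying the
optimization presented in the discussion under Definition 11.
For all $\kappa \in \mathfrak{R}(p)$ we have $atm_1(\kappa) = \{r, q\}$
and $atm_2(\kappa) = \emptyset$. Therefore $TB(\tau_4) = TB(\tau_1) \times 1 + TB(\{\tau_0, \tau_{2a}, \tau_{3a}\}) \times 0 + TB(\{\tau_5, \tau_{2a}, \tau_{3a}\}) \times 0 + TB(\{\tau_0, \tau_{3a}\}) \times 0 + TB(\{\tau_5, \tau_{3a}\}) \times 0 = n \times 1 = n$ with
$TB(\tau_1) = n$.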
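
The computation in steps 2) to 5), and the optimization discussed under Definition 11, as an added Python example (not the paper's or Loopus's code). The reset edges, increments and local bounds are a constructed encoding of the renamed DCP of Example 3; `N` is a sample value standing for the symbolic constant l = n, and three things are assumptions of this example: ζ(τ0) = 1 (so that TB(τ0) = 1 as in step 3), the bound of a set of transitions being the minimum of its members' bounds, and every maximal reset path starting at a constant.

```python
# Constructed encoding of the renamed DCP (p = e-k, q = e-b, r = i-b, x = l-i).
N = 8                                   # sample value for the symbolic constant l = n
CONST = {"0": 0, "l": N}
# Reset edges (source atom, transition, constant c, target): target' <= source + c
RESETS = [("l", "t0", 0, "x"), ("0", "t0", 0, "q"), ("0", "t0", 0, "r"),
          ("r", "t2a", 0, "q"), ("q", "t3a", 0, "p"),
          ("0", "t5", 0, "q"), ("0", "t5", 0, "r")]
INCREMENTS = [("r", "t1", 1)]           # r' <= r + 1 on t1
# Local bounds; zeta(t0) = 1 is an assumption of this example.
ZETA = {"t0": 1, "t1": "x", "t2a": "x", "t2b": "x", "t3a": "x",
        "t3b": "x", "t5": "x", "t6": "x", "t4": "p"}


def reset_paths(v, seen=()):
    """Maximal reset paths ending in v, each a list of edges from its source to v."""
    visited = seen + (v,)
    preds = [e for e in RESETS if e[3] == v and e[0] not in visited]
    if not preds:
        return [[]]
    return [path + [e] for e in preds for path in reset_paths(e[0], visited)]


def paths_to(a, target):
    """Number of reset-graph paths from atom a to target (graph assumed acyclic)."""
    if a == target:
        return 1
    return sum(paths_to(e[3], target) for e in RESETS if e[0] == a)


def incr(a, opt):
    """Incr(a): sum of TB(t) * c over all increments a' <= a + c on t."""
    return sum(tb(t, opt) * c for v, t, c in INCREMENTS if v == a)


def tb(t, opt=False):
    """TB(t) over reset paths; opt=True applies the atm_1 / atm_2 refinement."""
    v = ZETA[t]
    if v == 1:
        return 1
    total, once = 0, set()
    for kappa in reset_paths(v):
        if not kappa or kappa[0][0] not in CONST:
            raise ValueError(f"no reset of {v} from a constant: no bound")
        c = sum(e[2] for e in kappa)
        trn_bound = min(tb(e[1], opt) for e in kappa)   # assumed: minimum over the set
        total += trn_bound * max(CONST[kappa[0][0]] + c, 0)
        for a in {e[0] for e in kappa[1:]}:             # atm(kappa)
            if opt and paths_to(a, v) == 1:
                once.add(a)                             # atm_1: added once overall
            else:
                total += incr(a, opt)                   # added once per reset path
    return total + sum(incr(a, opt) for a in once)
```

`tb("t4")` evaluates to 2N because Incr(r) is added on both reset paths through r, and `tb("t4", opt=True)` evaluates to N.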